name: Forked PR workflow check

# This workflow prevents modifications to our workflow files in PRs from forked
# repositories.  Since tests in these PRs always use the workflows in the
# *target* branch, modifications to these files can't be properly tested.

on:
  # safe presubmit
  pull_request:
    branches:
      - main
      - '[0-9]+.x'
      # The 21.x branch still uses Kokoro
      - '!21.x'
      # For testing purposes so we can stage this on the `gha` branch.
      - gha
    paths:
      - '.github/workflows/**'

jobs:
  check:
    name: Check PR source
    runs-on: ubuntu-latest
    steps:
      - run: >
          ${{ github.event.pull_request.head.repo.full_name == 'protocolbuffers/protobuf' }} ||
          (echo "This pull request is from an unsafe fork (${{ github.event.pull_request.head.repo.full_name }}) and isn't allowed to modify workflow files!" && exit 1)
